Adobe ColdFusion Bug: CFQuery Tag Leaks SQL To Output Within Array Iteration

By Ben Nadel

Published 2025-08-27 in ColdFusion — Comments (3)

Things on this blog have been fairly quiet lately — in a post-Lucy world, my brain has been less focused. I've been trying to keep it busy by working on my Big Sexy Poems app (GitHub). And, while doing so, I've run into to a few wild bugs in ColdFusion. The first of which is that the CFQuery tag appears to leak its SQL statement into the output buffer if invoked from within array iteration mechanics.

To demonstrate, I have a CFFunction that invokes a CFQuery tag to perform a query-of-queries (QoQ). The QoQ isn't necessary — this just allows me to demonstrate the issue without an actual database. But, the tag-based nature of the demo is necessary. Meaning, this issue isn't present in the queryExecute() method, only in the CFQuery tag.

In the following code, I invoke this function / query in three different contexts:

Directly.
Within synchronous array iteration.
Within asynchronous array iteration.

<hr />
<!--- No iteration. --->
<pre><cfset foo()></pre>
<hr />

<!--- Iteration in series mechanics. --->
<pre><cfset arrayEach( ["a","b","c"], foo, false )></pre>
<hr />

<!--- Iteration in parallel mechanics. --->
<pre><cfset arrayEach( ["a","b","c"], foo, true )></pre>
<hr />

<!--- TAG SYNTAX (output="false"). --->
<cffunction name="foo" returnType="void" output="false">

	<cfset var data = queryNew( "id,name" ) />

	<cfquery name="local.results" result="local.metaResults" dbtype="query">
		SELECT * FROM [data]
	</cfquery>

</cffunction>

When I run this in Adobe ColdFusion 2021, I get the following page output:

--------------------
--------------------
SELECT * FROM [data]
SELECT * FROM [data]
SELECT * FROM [data]
--------------------
SELECT * FROM [data]
SELECT * FROM [data]
SELECT * FROM [data]
--------------------

In Adobe ColdFusion 2021, the directive invocation of foo() is fine. But, both the synchronous and the asynchronous array iteration context causes the SQL statement to leak into the output buffer.

When I run this in Adobe ColdFusion 2025, I get the following page output:

--------------------
--------------------
--------------------
SELECT * FROM [data]
SELECT * FROM [data]
SELECT * FROM [data]
--------------------

In Adobe ColdFusion 2025, only the asynchronous array iteration context causes the SQL statement to leak into the output buffer.

I've never noticed this before because I usually use the CFContent tag to clear the output buffer at the top of each layout rendering. But, I happen to forget this tag in one small part of BigSexyPoems, and suddenly I was getting SQL statements dumped to my page response.

Want to use code from this post? Check out the license.

Short link: https://bennadel.com/4830

Reader Comments

Ben Nadel Aug 27, 2025 at 9:58 AM

16,109 Comments

I've filed this bug in the Adobe Tracker: CF-4227689.

James Moberg Sep 15, 2025 at 11:36 PM

93 Comments

I see that you are mixing var and local scopes in the function. Do you know if that creates any issues? (If I use local in a function, I've been ensuring that anything that uses var is switched to use local for consistency.

NOTE: In order to query a local-scoped variable in a QoQ, you'll need to use brackets... ie, [local].data.

I tried your proof-of-concept on TryCF and it threw an error. I tried it on CFFiddle and received an error indicating that the cfQuery tag isn't supported. #smh

Ben Nadel Sep 16, 2025 at 10:12 AM

16,109 Comments

@James,

Yeah, I don't think you can use cfquery in any of the online services because it's a database permissions thing. That said, as far as I know using var and using local should be functionally the same thing. If they operated differently, I think that would also be a bug.

Reader Comments

Post A Comment — ❤️ I'd Love To Hear From You! ❤️

Post A Comment — I'd Love To Hear From You!